
Conversation

@copy
Contributor

@copy copy commented Nov 5, 2018

Generate Function("return this")() instead of function(){return this}(). The former works in strict mode (for example under node --use_strict or when bundled using webpack), the latter doesn't.

Fixes #699.

Generate Function("return this")() instead of function(){return this}().
The former works in strict mode, the latter doesn't.
@hhugo hhugo merged commit 33edbbc into ocsigen:master Nov 15, 2018
@hhugo
Member

hhugo commented Nov 15, 2018

Thanks

@TyOverby
Collaborator

Because the Function constructor is performing an eval, code that contains Function("return this") is not runnable under a Content Security Policy without whitelisting "unsafe-eval":

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:".

Because having rigid Content Security Policies (especially WRT eval) is an important factor for web security, I will investigate other methods for achieving this behavior without preventing Js_of_ocaml from being run with heavier security guarantees.

@hhugo
Member

hhugo commented Nov 29, 2018

@copy, I reverted this change. @TyOverby is working on some PR that could solve your original issue.

@copy
Contributor Author

copy commented Dec 6, 2018

@hhugo @TyOverby Good point. Glad this was reverted before breaking anyone's code.

@TyOverby Do you have something coming up for this? From what I can tell:

  • try { Function("return this")() } catch (e) { /* fallback */ } works, but one still needs to find a fallback that works in all environments with unsafe-eval
  • typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : typeof window !== 'undefined' ? window : {} (source) is for example used by browserify, but is not as reliable as the other method, for example in the presence of a variable named global

@TyOverby
Collaborator

I just read this today. Maybe we should use something similar?



Development

Successfully merging this pull request may close these issues.

joo_global_object is undefined when bundled in strict mode
